Installing Windows 10 behind sys-whonix as NetVM using Qubes Windows Tools

I would like to ask the experts in Qubes about the security issues of the Qubes system after Windows 10 is installed.

Prerequisite reminder: I usually use the Tor network when using Qubes because I am a lover and advocate of freedom and privacy. However, due to work reasons, many clear networks do not support Tor network access, and some software does not support Linux systems, so I want to install Windows. I want to set the NetVM of windows-vm to sys-whonix so that it can use the Tor network all the time, and then install a fingerprint browser in Windows and add a residential proxy IP, so that the Tor traffic can immediately connect to the residential IP after the exit relay for clear network access.

  1. Because the Windows system is terrible, I am worried that IP leaks and device information leaks will occur after Qubes is installed. Because of the Tor network protection, there is a risk of being hacked (provided that Windows software is safe, the software generally follows a small number of free open source software)?

  2. Under what circumstances will my IP and device information be completely exposed?

  3. Is it necessary to install Qubes Windows Tools? What specific improvements will there be after installation?

  4. Has anyone ever performed a complete installation without errors? Can you tell me the complete installation steps and hardware configuration of windows10-vm?

Thank you very much to everyone who answered.


You can set up network pathing for a Windows instance in a qube like: Windows0 → residproxy0 → sys-whonix → sys-firewall → sys-net.

The path is inverse from the remote host:
remote host → residential IP → Tor network → your WAN IP.

Where you want to harden is in residproxy0 with explicit outbound firewall rules that DROP traffic (not REJECT but DROP).

Gentoo https://wiki.gentoo.org/wiki/IPSet and Arch https://wiki.archlinux.org/title/Ipset have nice wiki pages on ipsets.

iptables -P OUTPUT DROP
iptables -I OUTPUT -p udp --dport "$udp_port" -m set --match-set residproxyprovider dst -j ACCEPT

The modern and correct frontend to NetFilter is nftables but the concept is the same.

Keep in mind that some entities, who may have a purely political imperative rather than a legitimate imperative (only the guise of it), may be able to view some Tor traffic.

https://www.team-cymru.com/netflow

1. You accidentally set sys-firewall as NetVM, or something else not behind sys-whonix as NetVM, for Windows0.

2. Your Windows instance receives malicious code that knows how to talk to the Minix-based operating system running on the other processor (the Intel ME, the one really in control) or runs “undocumented” instructions on the processor that Xen (Qubes) is running on.

Also beware of the cpuid problem ("The cpuid problem inherent in x86_64"), which may or may not affect you.

Sometimes nation state resources/tools are shared with organizations that are not just political but aggressively adversarial to their host population. Be aware of this if you are a whistleblower.

If you do some (just some) searching on this forum you will find comprehensive information and some guides on running Windows 10 in a qube. There is automation for this too.
Have you looked at QubesOS/qvm-create-windows-qube on GitHub ("Spin up new Windows qubes quickly, effortlessly and securely on Qubes OS")?

Many Qubes users out there have an existing automated process for creating a Windows 10 template qube.

With Windows there will probably always be some errors. But you should be able to get Windows 10 running in a qube without an unreasonable amount of effort.
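
The same default-drop egress allowlist written for nftables, as an added example that is not part of the reply above. The table name, the port and the addresses in the set are constructed placeholders, and the loopback rule is an assumption.

```nft
#!/usr/sbin/nft -f
# Added example: nftables form of the two iptables rules in the reply,
# intended for the proxy qube (residproxy0). All values are placeholders.

define udp_port = 51820            # stands in for $udp_port

table inet residproxy_egress {
    # Counterpart of the "residproxyprovider" ipset: the provider's endpoints.
    set residproxyprovider {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.10, 198.51.100.0/24 }   # documentation ranges
    }

    chain output {
        # iptables -P OUTPUT DROP: anything not accepted below is discarded
        # silently (no ICMP error or TCP reset, unlike "reject").
        type filter hook output priority 0; policy drop;

        # Assumption: services inside the qube still need loopback.
        oifname "lo" accept

        # iptables -I OUTPUT -p udp --dport ... --match-set ... dst -j ACCEPT
        ip daddr @residproxyprovider udp dport $udp_port accept

        # Count everything else before dropping it, so unexpected egress
        # shows up in "nft list chain inet residproxy_egress output".
        counter drop
    }
}
```

Because the table is in the inet family and the only accept rules are for loopback and IPv4, all IPv6 output from the qube is dropped as well. Like the OUTPUT rules in the reply, it filters only traffic generated inside residproxy0; packets forwarded on behalf of a downstream qube pass through the forward hook instead.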


1+2 you can read here about IP leaks:

3+4, included in documentation:
